Keltec site virus

Looks like they're getting hacked multiple times.

If that's the case, then they have a problem and need to shut down their web presence until it's been fixed. Also, looks like the site's still a no-go as of right now.
 
WARNING!

This is still an active problem! :mad: I got a vicious worm just from opening their home page today that has my IT guy replacing my hard drive now. Combofix was not effective.

The site really needs to come down until it is fixed.
 
That's not really how DNS works. If Kel-Tec owns "keltecweapons.com," they get to decide what IP address traffic is directed to.

Now it's very possible that once you have a virus on your own computer, you could be redirected to different websites but that's not what's going on here. That's what frustrates me with them at this point. If they can't get this fixed, they need to shut their site down until they can. I was ready to lay some tax return money down on a KSG up until now.
 
It has and does happen. That's the whole point. The DNS is redirected. If they know they have a virus, why would they leave their site up? It's a 30 second fix. You replace the site code with an uninfected backup copy. They can't do that because the traffic isn't getting to them. It's being redirected. No reputable company would leave an infected site online. Anybody who knows the first thing about computers could fix it in a minute but it's not that easy to fix a DNS redirect.
DNS hacks have happened many times.
 
I'm not going to go into all of the details, but when your computer looks up Keltecweapons.com, it doesn't get the IP address from Kel-Tec. It comes from your internet service provider. Unless all of our ISPs have been hacked by some organization with a vendetta against Kel-tec, that's not what's going on.

It's absolutely possible that their webpage is forwarding people to a different server, but if that were to happen the url in your browser's address bar would change.
 
I know how DNS works. There have been many DNS hacks over the years. Might not be that, might be.

Could also be SQL injection or an unpatched web server.
 
The site definitely has an issue...

It attempts to install an .exe that seems to be a 'server' app...

The file is named randomly, and in WINXP is installed in:

Documents and Settings/Administrator/Local Settings/Temp

Shields Up (GRC)
 
You're right. It is absolutely possible but according to their registrar, Domains Priced Right, the record hasn't been changed since August 21 of last year.
 
I did a little snooping, here's my best guess at what's going on.

$ nmap -P0 keltecweapons.com

Starting Nmap 5.51 ( http://nmap.org ) at 2012-02-08 21:13

Nmap scan report for keltecweapons.com (108.166.126.121)
Host is up (0.12s latency).
rDNS record for 108.166.126.121: 108-166-126-121.static.clo
Not shown: 990 filtered ports
PORT STATE SERVICE
20/tcp closed ftp-data
21/tcp open ftp
22/tcp open ssh
80/tcp open http
443/tcp open https
50000/tcp closed ibm-db2
50001/tcp closed unknown
50002/tcp closed iiimsf
50003/tcp closed unknown
50006/tcp closed unknown

Nmap done: 1 IP address (1 host up) scanned in 97.51 second

Each of those port numbers there correspond to a service running on whatever server keltecweapons.com points at. I can't think of a whole lot of good reasons to have anything other than 80 and 443 open on a webserver. Port 21 and 22 are used by well known web services and aren't necessarily telling of anything bad on their own until you add all of those "unknown" ports in the 50000 range.

If I were to bet on what's going on here, I'd say that someone found a way into their systems somehow. Maybe a keylogger that one of their employees picked up, SQL injection as Peetza mentioned or some other vulnerability.

Now the internet bad guy has free reign to hide the virus that we're all seeing on their front page and try to get as much personal data from the computers that are infected by the site.

Computers infected with viruses providing backdoor access like this (kel-tec's server and your computer if it was infected by it) are known as "zombies" and often traded like commodities around the circle of people who deal in this sort of thing. If you even suspect that your computer was a target, you really need to make sure that everything is cleaned up properly (pay someone if you need to) and then change the password to every single service that you use on the web. Email, online banking, this forum, etc.
 
Heck, I'm feeling nice tonight. If anybody from Kel-Tec is listening, here's the bit of offending HTML from the front page that's causing all of the mischief.

<iframe src="[VERY BAD LINK REMOVED]" width="10" style="visibility:hidden;position:absolute;left:0,top:0;">

Basically, it creates a tiny little invisible box in the top left hand of their page that contains some very bad web content from another server, the address to which I've removed.

Maybe Kel-Tec will send me that KSG I was wanting for free on account of all of this free consulting. :rolleyes:
 
As of about a minute ago, that frame no longer exists. I wonder if they actually are listening.

I wouldn't say that means that the site is safe to visit yet though. I'd wait for some sort of official announcement on their part. Plus, as of right now those nasty TCP ports are still open.
 
Good job!

They need to figure out a way to address this and prevent it from reoccurring. It's really bad for business.

"Don't go to the keltecweapons.com web site it's infected" isn't very good advertising.
 
That's the same site I used, make sure you download and run the TDSSKiller tool too, that's what cleaned up the rootkit in my MBR. Until I found and removed that I was still getting Google Redirect virus issues.

Bastards.
 
Thanks for the warning.

I delete everything I look at every night as well as clean disk and do the McAfee cleaning utility too.

Plus,I can always do a hard drive format if it gets bad-I have a disk that will auto load from the dvd drive and kill anything that's on the disk as well as all my data too.

Had to do that once-I fought that sucker back through several popup pages and turned off the surge protector to the computer before it could go really deep.

But I don't depend on my computer for much of anything anyway.

Frankly,if it was'nt for a few sites and the heatpump parts I am getting online for 10% of what a ac company would charge me,I'd take a sledge hammer to mine right now.

MASSIVE life wasters.

A billion times worse then television.
 
I haven't visited their site and don't plan to. I did get hit by a very vicious piece of malware about two years ago that was bad enough that I had to re-format the hard drive (on a side note, it did help to get rid of some of the junk).

It also managed to steal a "credit card" number that I used for online purchases. Fortunately, I have always been leery about sending my real credit card/debit card info over the net. I had purchased a pre-paid VISA card from AAA which I would load when I wanted to buy anything. The thieves only got about $10 and I got a different pre-paid card.

The point about all this is to recommend the use of these sorts of pre-paid cards. I am fairly computer savvy but sometimes even the pros get hit.
 
Back
Top